summaryrefslogtreecommitdiffstats
path: root/iptables.c
Commit message (Collapse)AuthorAgeFilesLines
* iptables: print negation extrapositionedJan Engelhardt2009-04-041-6/+6
| | | | | | | | | | | | | | This patch combines the two referenced ones by Peter. I did a quick extra audit to spot and fix the missing ip6tables parts. (People like to forget ip6tables it seems.) Extension modules were, to the best of my knowledge, already audited in v1.4.3-rc1-10-gcea9f71. Reported-by: Yar Odin <yarodin@gmail.com> References: http://bugs.gentoo.org/264089 Reported-by: Peter Volkov <pva@gentoo.org> References: http://marc.info/?l=netfilter-devel&m=123883867907935&w=2 References: http://marc.info/?l=netfilter-devel&m=123883992508943&w=2 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge commit 'nf/master'Jan Engelhardt2009-03-151-2/+1
|\
| * iptables: fix broken options-merging during libxtables reworkPablo Neira Ayuso2009-03-031-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes options-merging that was broken somewhere during the libxtables rework. Before this patch, two pointers were used to keep the current options, however, the options field in xt_params was not appropritely updated. Thus, xtables_free_opts() was not restoring the original options. This patch fixes iptables-restore and ip6tables-restore that stopped working in my personal firewall. % iptables-restore *filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables-restore v1.4.3-rc1: Unknown arg `ESTABLISHED,RELATED' Error occurred at line: 4 Try `iptables-restore -h' or 'iptables-restore --help' for more information. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables: turn deprecation warning into enforcing modeJan Engelhardt2009-03-151-4/+3
|/ | | | | | | The deprecation warning was added 7 months ago in v1.4.2-rc1-13-g1eada72 with a warning "next release". Next release is coming up, so enforce it. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix exit_error to xtables_errorJan Engelhardt2009-02-211-38/+38
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: resynchronize manpage with in-code helpJan Engelhardt2009-02-211-2/+3
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: general follow-up cleanupJamal Hadi Salim2009-02-131-9/+9
| | | | | | Kill program_name, program_version and xtables_program_name. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* libxtables: consolidate init calls into one functionJamal Hadi Salim2009-02-131-1/+0
| | | | | | | | | | | Introduce xtables_init_all() which hides three calls xtables_init(), xtables_set_nfproto(), and xtables_set_params(). Make ip[6]tables-restore, ip[6]tables-save and ip[6]tables-standalone use it. I moved xtables_set_params around for readability reasons. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* libxtables: consolidate merge_options into xtables_merge_optionsJamal Hadi Salim2009-02-131-36/+3
| | | | | | | | Introduce xtables_merge_options() for re-use reasons. Apps can use it instead of each defining their own merge_options(). Made iptables and ip6tables use the new shared interface. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* libxtables: make iptables and ip6tables use xtables_free_optsJamal Hadi Salim2009-02-121-15/+6
| | | | | | | | The patch modifies xtables_globals to introduce orig_opts and xtables_free_opts() to emulate what free_opts used to do. We also get rid of the copies of free_opts() that iptables and ip6tables keep. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* libxtables: add xtables_set_revisionJamal Hadi Salim2009-02-121-12/+4
| | | | | | Introduce xtables_set_revision() and make iptables and ip6tables use it. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* libxtables: set names of programsJamal Hadi Salim2009-02-121-1/+0
| | | | | | Set proper name of application. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* Merge branch 'master' of git://dev.medozas.de/iptablesPatrick McHardy2009-02-121-12/+12
|\
| * src: remove iptables_rule_match indirection macroJan Engelhardt2009-02-101-12/+12
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | libxtables: simple aliasing macro for exit_errorJamal Hadi Salim2009-02-111-2/+4
| | | | | | | | | | | | | | | | | | | | | | Rename xtables_globals exit_error cb to exit_err and introduce a very simple aliasing macro to point to it. convert iptables, ip6tables and iptables_xml to use it. Note iptables_xml does not have to define its own exit_error() since it can use the basic one provided. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: Patrick McHardy <kaber@trash.net>
* | libxtables: Make ip6tables, iptables and iptables-xml use xtables_globalsJamal Hadi Salim2009-02-111-0/+9
|/ | | | | | | | convert ip6tables, iptables and iptables-xml to use xtables_globals/xtables_set_params() Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxtables: move afinfo aroundJan Engelhardt2009-02-071-9/+0
| | | | | | | libxtables should not rely on the program executable providing the magic constants for using [gs]etsockopt. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - move parse_protocol to xtables.cJan Engelhardt2009-01-301-65/+10
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - move check_inverse to xtables.cJan Engelhardt2009-01-301-25/+5
| | | | | | | This also adds a warning that intrapositional negation support is deprecated. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix - parse and escaped output funcJan Engelhardt2009-01-301-2/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix - misc functionsJan Engelhardt2009-01-301-2/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - ipaddr/ipmask to ascii outputJan Engelhardt2009-01-301-6/+6
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - param_actJan Engelhardt2009-01-301-1/+1
| | | | | | | | Changes: exittype -> xtables_exittype P_* -> XTF_* flags Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - strtouiJan Engelhardt2009-01-271-3/+3
| | | | | | This commit also throws out the redundant string_to_number_*. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - match/target loadingJan Engelhardt2009-01-271-20/+25
| | | | | | | | | This change affects: find_{match,target} -> xtables_find_{match,target} enum xt_tryload -> enum xtables_tryload loose flags like DONT_LOAD -> XTF_DONT_LOAD Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - modprobe and xtables.ko loadingJan Engelhardt2009-01-271-2/+3
| | | | | | | | | This change affects: load_xtables_ko -> xtables_load_ko modprobe_program -> xtables_modprobe_program Now uses bool for the "quiet" flag. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - fw_xallocJan Engelhardt2009-01-271-7/+7
| | | | | | | | | | | | It is good practice to prefix names in a library some way so that it does not clash with external programs' variable names right on the first try. This change: rename fw_[cm]alloc to xtables_[cm]alloc and move the definition from internal.h to xtables.h to avoid potential compiler warnings. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: use UINT_MAX constants over open-coded numbers (2/2)Jan Engelhardt2009-01-271-2/+2
| | | | | | Use the handy constants for ranges. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: fix error reporting with wrong/missing argumentsPablo Neira Ayuso2008-11-191-1/+18
| | | | | | | | | | | | | | | | This patch fixes wrong error reporting when arguments are missing: # iptables -I INPUT -m state --state iptables v1.4.2-rc1: Unknown arg `(null)' Try `iptables -h' or 'iptables --help' for more information. or wrong: # iptables -I INPUT -m state --xyz iptables v1.4.2-rc1: Unknown arg `(null)' Try `iptables -h' or 'iptables --help' for more information. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use NFPROTO_ constantsJan Engelhardt2008-11-181-1/+1
| | | | | | | | Resync netfilter.h from the latest kernel and make use of the new NFPROTO_ constants that have been introduced. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: remove indirectionsJan Engelhardt2008-11-101-35/+35
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: remove typedef indirectionJan Engelhardt2008-11-101-16/+16
| | | | | | | | | | | Don't you hate it when iptc_handle_t *x actually is a double-indirection struct iptc_handle **? This also shows the broken constness model, since "const iptc_handle_t x" = "iptc_handle_t const x" = "struct iptc_handle *const x", which is like no const at all. Lots of things to do then. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Synchronize invert flag order with manpagesJan Engelhardt2008-08-131-6/+6
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Warn about use of DROP in nat tableJan Engelhardt2008-08-131-0/+8
| | | | | | | Consensus is that we should warn for now. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables-restore: fix segmentation fault with -tanythingJan Engelhardt2008-08-041-3/+2
| | | | | | | | | | | | | | | | | | | | Reference: Debian bug #458042 iptables-restore must not pass a table into do_command. It checks for "-t arg" and "--table arg", but not "-targ". (On a related note, using -targ does not work as expected). This should fail gracefully, but crashes: iptables-restore <(echo -e '*filter\n-A INPUT -tx\nCOMMIT') And this should use table "filter", or perhaps raise an error, but instead sets the table to (literally) "-tfilter": iptables -tfilter -A INPUT Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables: fix printing of line numbers with --line-numbers argHenrik Nordstrom2008-06-131-1/+1
| | | | | | | Commit bb34082d ("iptables --list chain rulenum") broke the line numbering, starting with printing an offset of 2. Signed-off-by: Patrick McHardy <kaber@trash.net>
* Make --set-counters (-c) accept comma separated countersHenrik Nordstrom2008-05-131-4/+7
| | | | | | | | | | | | Here is the --set-counters syntax patch requested earlier today making --set-counters (-c) accept comma separated counts. -c packets,bytes I have not updated the manpage to reflect this alternate syntax for the --set-counters (-c) option. Henrik Nordstrom <henrik@henriknordstrom.net>
* iptables --list chain rulenumHenrik Nordstrom2008-05-131-15/+31
| | | | | | | | | | | | Excent --list (and --list-rules) to allow selection of a single rule number iptables --list INPUT 4 iptables --list-rules INPUT 4 list rule number 4 in INPUT. Henrik Nordstrom <henrik@henriknordstrom.net>
* iptables --list-rules commandHenrik Nordstrom2008-05-131-15/+274
| | | | | | | | | | | | | | | | | | Adds iptables --list-rules (-S) command, acting as a combination of iptables --list and iptables-save. The primary motivation behind this patch is to get iptables-save like output capabilities in iptables-restore, allowing "iptables-restore -n" to be used as a consistent API to iptables for all kind of operations, not only blind updates.. As a bonus iptables also gets the capability of printing the rules as-is. This completely replaces the earlier patch which added the --rules option. Henrik Nordstrom <henrik@henriknordstrom.net>
* Add support for --set-counters to iptables -PHenrik Nordstrom2008-05-121-2/+2
| | | | | | | | Adds support for setting the policy counters iptables -P INPUT -J DROP -c 10 20 Henrik Nordstrom <henrik@henriknordstrom.net>
* Remove old functions, constantsJan Engelhardt2008-04-151-19/+7
|
* iptables: use C99 lists for struct optionsGáspár Lajos2008-04-141-32/+32
|
* manpages: grammar and spellingJan Engelhardt2008-04-131-1/+1
|
* Fix all remaining warnings (missing declarations, missing prototypes)Jan Engelhardt2008-04-131-3/+1
|
* Fix -Wshadow warnings and clean up xt_sctp.hJan Engelhardt2008-04-061-6/+6
| | | | | Note: xt_sctp.h is still not merged upstream in the kernel as of this commit. But a refactoring was really needed.
* whitespace cleanupMax Kellermann2008-01-291-13/+13
| | | | Max Kellermann <max@duempel.org>
* rename overlapping function namesJan Engelhardt2008-01-201-194/+4
| | | | | | Rename overlapping function names. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* bunch o' renamesJan Engelhardt2008-01-201-78/+6
| | | | | | | | Move a few functions from iptables.c/ip6tables.c to xtables.c so they are available for combined (both AF_INET and AF_INET6) libxt modules. Rename overlapping function names. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* - cleanup several code wraparoundsPablo Neira Ayuso2008-01-171-4/+21
| | | | | - check for malloc() return value in merge_opts() - check for merge_opts() return value
* [PATCH iptables] print warnings to stderrMax Kellermann2007-10-171-3/+4
| | | | | | | | iptables prints some of its error messages and warnings to stdout. This patch applies to svn r7075 and will make iptables print diagnostic messages to stderr instead. Signed-off-by: Max Kellermann <max@duempel.org>